Authdata, preauth plugin headers
Sam Hartman
hartmans at MIT.EDU
Mon Jun 27 07:40:23 EDT 2011
>>>>> "Greg" == Greg Hudson <ghudson at MIT.EDU> writes:
Greg> 1. Use the new plugin framework. Doing this will make it
Greg> easier to make backward-compatible extensions to the interface
Greg> in the future. We'll need to add some kind of
Greg> auto-registration mechanism for pkinit, to avoid adding to the
Greg> configuration necessary to get it working.
Why won't future mechanisms need this auto-registration?
Why do we want to make them harder?
Greg> 5. Maybe change to how error data is generated. I'll need
Greg> Sam's input here. Currently, plugins produce an arbitrary
Greg> blob of e-data to be placed in errors. FAST requires preauth
Greg> mechanism error data to be padata. PKINIT specifies that its
Greg> errors come packaged as typed-data, which walks and talks like
Greg> padata but has a different ASN.1 tag. What we do right now is
Greg> try to decode the e-data as padata, then try to decode it as
Greg> typed-data and convert for FAST. Maybe there's a way we can
Greg> do better, although I'm not really sure how.
For everything I'm familiar with, you can return errors as padata and
provide a flag requesting conversion to typed data for some non-fast
mechanisms.
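The padata versus typed-data distinction in Greg's point 5, as an added example that is not krb5 code: a minimal DER encoder and decoder for the two e-data shapes. It assumes the RFC 4120 definitions (PA-DATA with explicit context tags [1] and [2], TYPED-DATA elements with tags [0] and [1]); `decode_edata` mirrors the try-padata-then-typed-data logic the mail describes and hands back padata-form pairs either way.

```python
def _tlv(tag, body):  # DER tag + length + contents (handles long-form lengths)
    n = len(body)
    if n >= 0x80:
        ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(ln)]) + ln + body
    return bytes([tag, n]) + body

def _int(v):  # DER INTEGER, minimal two's-complement encoding
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _encode(items, type_tag, value_tag):  # SEQUENCE OF SEQUENCE {[a] INTEGER, [b] OCTET STRING}
    return _tlv(0x30, b"".join(
        _tlv(0x30, _tlv(type_tag, _int(t)) + _tlv(value_tag, _tlv(0x04, v)))
        for t, v in items))

def encode_padata(items):      # METHOD-DATA: PA-DATA uses explicit tags [1], [2]
    return _encode(items, 0xA1, 0xA2)
def encode_typed_data(items):  # TYPED-DATA: elements use explicit tags [0], [1]
    return _encode(items, 0xA0, 0xA1)

def _tlv_read(buf):  # returns (tag, contents, remainder)
    tag, n, pos = buf[0], buf[1], 2
    if n & 0x80:
        pos += n & 0x7F
        n = int.from_bytes(buf[2:pos], "big")
    return tag, buf[pos:pos + n], buf[pos + n:]

def _decode(buf, type_tag, value_tag):
    outer, body, rest = _tlv_read(buf)
    if outer != 0x30 or rest:
        raise ValueError("expected one outer SEQUENCE")
    items = []
    while body:
        t, elem, body = _tlv_read(body)
        tt, tb, elem = _tlv_read(elem)
        it, ib, _ = _tlv_read(tb)
        if t != 0x30 or tt != type_tag or it != 0x02:
            raise ValueError("element does not match the expected tags")
        vt, vb, elem = _tlv_read(elem)
        ot, ob, _ = _tlv_read(vb)
        if vt != value_tag or ot != 0x04 or elem:
            raise ValueError("bad value element")
        items.append((int.from_bytes(ib, "big", signed=True), ob))
    return items

def decode_edata(edata):
    """Mirror the logic in the mail: try padata first, then typed-data."""
    try:
        return "padata", _decode(edata, 0xA1, 0xA2)
    except (ValueError, IndexError):
        return "typed-data", _decode(edata, 0xA0, 0xA1)
```

Because only the context tags differ, the fallback branch is the whole "convert for FAST" step: the same (type, value) pairs come out regardless of which wrapper the mechanism chose.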